[Ace] Missing Introspection parameter in draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@combitech.com> Tue, 17 August 2021 14:23 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LMLBtEcNMRTJHhHG2PUxmkzk37A>

Hello ACE,

I want to raise one issue for group comments that has come up in conjunction with fixing the IANA nits for draft-ietf-ace-oauth-authz:
In figure 16 we define mappings from OAuth Token introspection parameters to CBOR abbreviations. These parameters (should) correspond to the claims that could be found in e.g., a CWT.
CWT renamed one token claim, namely 'jti' (JWT ID) into 'cti' for CWT ID. However, this is not reflected in the registered Introspection parameters
(https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response) where only 'jti' is registered. This was overlooked when we originally defined the mappings in figure 16.

I would therefore put the following question to the group:

Does anyone object to this draft adding 'cti' as an OAuth introspection parameter?

The corresponding text would go into the list of additional parameters in section 5.9.2 and be something along the lines of:
"cti  OPTIONAL.  The CWT ID parameter has the same meaning and processing rules as the "jti" parameter defined in section 3.1.2. of [RFC 7662] except that the value is a byte string. "

Regards,

Ludwig

--
Ludwig Seitz
Infrastructure Security Analyst
Combitech AB
Djäknegatan 31 . SE-211 35 Malmö . Sweden
Phone: +46 102 160 846
ludwig.seitz@combitech.com . combitech.com
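As an added example (not part of the message above or of the draft), the check a resource server would make on a CBOR-encoded introspection response carrying the proposed 'cti' parameter: the value must arrive as a CBOR byte string, which is exactly what separates it from the text-string 'jti' of RFC 7662. The CBOR encoder and decoder are minimal constructed ones; key 7 for 'cti' is the registered CWT claim key (RFC 8392), while 10 for 'active' is an assumption here and should be taken from the draft's figure 16.

```python
CTI, ACTIVE = 7, 10   # 7 = registered CWT 'cti' claim key (RFC 8392); 10 for 'active' is assumed here

def _head(major, arg):                                   # initial byte + argument field
    if arg < 24:
        return bytes([(major << 5) | arg])
    n = next(n for n in (1, 2, 4, 8) if arg < 1 << (8 * n))   # 1/2/4/8-byte argument
    return bytes([(major << 5) | (24 + n.bit_length() - 1)]) + arg.to_bytes(n, "big")

def encode(obj):
    """Minimal CBOR encoder for the types an introspection response needs."""
    if isinstance(obj, bool):
        return bytes([0xF5 if obj else 0xF4])
    if isinstance(obj, int) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):                           # major type 2: byte string ('cti')
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):                             # major type 3: text string ('jti')
        return _head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def decode(data, pos=0):
    """Decode one CBOR item as (value, next_pos); bstr -> bytes, tstr -> str."""
    major, ai = data[pos] >> 5, data[pos] & 0x1F
    if ai > 27:
        raise ValueError("indefinite-length items are not supported")
    n = 0 if ai < 24 else 1 << (ai - 24)                 # size of the argument field
    arg = ai if n == 0 else int.from_bytes(data[pos + 1:pos + 1 + n], "big")
    pos += 1 + n
    if major == 0:
        return arg, pos
    if major in (2, 3):                                  # 2 = bstr ('cti'), 3 = tstr ('jti')
        chunk = bytes(data[pos:pos + arg])
        return (chunk if major == 2 else chunk.decode()), pos + arg
    if major == 5:
        items = {}
        for _ in range(arg):
            key, pos = decode(data, pos)
            items[key], pos = decode(data, pos)
        return items, pos
    if major == 7 and ai in (20, 21):                    # CBOR simple values false/true
        return ai == 21, pos
    raise ValueError(f"unsupported CBOR item: major type {major}")

def cti_is_valid(response):
    """RS-side check: 'cti' must be a non-empty CBOR byte string, not a 'jti'-style text string."""
    cti = decode(response)[0].get(CTI)
    return isinstance(cti, bytes) and len(cti) > 0
```

A response that carries the identifier as a text string (the RFC 7662 'jti' shape) fails the check, so a constrained RS cannot be fed the wrong type by an AS that has not adopted the byte-string rule.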